Configuring LDAP lookups for EAP and inner-tunnel
Alexander Clouter
alex at digriz.org.uk
Fri Sep 24 12:42:05 CEST 2010
Alan DeKok <aland at deployingradius.com> wrote:
>
>> So my assumption is that the eap module doesn't use the inner tunnel for
>> tls.
>
> Yes.
>
> The solution is to move the LDAP checks to the "post-auth" stage.
>
Just something for the archives...
Or *after* eap in authorize{} where eap is called by:
----
authorize {
    ....
    eap {
        ok = return
    }
    ldap
    ....
}
----
It is handy to have ldap in the authorise section as you can then put
your MAC address blacklists into LDAP too.
The downside is that if you want to then do host based VLANing (using
Ldap-UserDn) in post-auth you have nothing to work with as 'ldap' was
not invoked on the final EAP frame.
I work around this by having a perl caching module (alas the
experimental FreeRADIUS one does not quite seem to be suitable for what
I need, from what I can tell):
----
perl cache_ldap-userdn {
module = ${confdir}/cache_ldap-userdn.pm
func_authorize = authorize
func_post_auth = post_auth
}
----
The perl module is available for now at:
http://stuff.digriz.org.uk/cache_ldap-userdn.pm
Then my virtual server looks like:
----
authorize {
    ....
    eap {
        ok = return
    }
    # typically this is the *last* thing in your authorize{}
    # section as under the 'if()' clause you would decide to
    # reject the user or whatever, saving you going through
    # the whole EAP process and letting you reject early.
    ldap
    if (ok) {
        cache_ldap-userdn
    }
}
post-auth {
    ....
    if (!(Ldap-UserDn)) {
        cache_ldap-userdn
    }
    ldap
    ....
}
----
Now you get all the benefits of EAP with 'ok = return' but do
not lose Ldap-UserDn due to skipped LDAP module calls.
The perl script should be straightforward to let people cache other
attributes too and whatnot, hopefully simple enough for everyone to
amend to their needs. Suggestions for improvement welcome; it's
something I put together in an hour last week.
As a statistic, it seems an EAP session for us now has two LDAP lookups
rather than 10+. The first one is for checking if the MAC is
blacklisted, the second one works out (via a group membership) which
VLAN the user should be in. Yay.
Email me if you need any help with my perl module.
Cheers
--
Alexander Clouter
.sigmonster says: Given my druthers, I'd druther not.
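An illustrative rlm_perl module for the cache described in the post above (an added example, not the cache_ldap-userdn.pm linked there). It assumes rlm_perl's %RAD_REQUEST hash and return codes, that the outer User-Name, Calling-Station-Id, NAS-IP-Address and NAS-Port stay the same across every frame of one EAP conversation, and that all frames of a session reach the same Perl interpreter; on a threaded server rlm_perl uses a pool of cloned interpreters whose globals are not shared, so the in-memory hash would need replacing with a shared store there.

```perl
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);   # filled in by rlm_perl per request

use constant { RLM_MODULE_NOOP => 7, RLM_MODULE_UPDATED => 8 };  # rlm_perl return codes

my $TTL = 60;   # seconds an entry may sit unused; an EAP conversation is much shorter
my %CACHE;      # session key => [ Ldap-UserDn, stored-at ]  (per interpreter, see lead-in)

# Build a key that stays constant over every frame of one EAP conversation.
# Assumption: these four attributes are stable on your NAS. The State attribute
# changes every round, so it cannot be used.
sub session_key {
    my ($req) = @_;
    return join "\0", map { defined $req->{$_} ? $req->{$_} : '' }
        qw(User-Name Calling-Station-Id NAS-IP-Address NAS-Port);
}

# Drop entries older than $TTL so abandoned EAP sessions do not accumulate.
sub expire {
    my $now = time;
    delete @CACHE{ grep { $now - $CACHE{$_}[1] > $TTL } keys %CACHE };
}

# authorize{}: runs right after 'ldap' on the first EAP frame; remember its Ldap-UserDn.
# Returns noop so the section's own return code (from 'ldap') is left alone.
sub authorize {
    expire();
    return RLM_MODULE_NOOP unless defined $RAD_REQUEST{'Ldap-UserDn'};
    $CACHE{ session_key(\%RAD_REQUEST) } = [ $RAD_REQUEST{'Ldap-UserDn'}, time ];
    return RLM_MODULE_NOOP;
}

# post-auth{}: 'ldap' was skipped on the final frame because eap returned ok,
# so put the saved Ldap-UserDn back into the request before 'ldap' runs again.
sub post_auth {
    my $entry = delete $CACHE{ session_key(\%RAD_REQUEST) };   # one-shot: the session is finished
    return RLM_MODULE_NOOP unless $entry && time - $entry->[1] <= $TTL;
    $RAD_REQUEST{'Ldap-UserDn'} = $entry->[0];
    return RLM_MODULE_UPDATED;
}

1;
```

Wire it up with the `perl cache_ldap-userdn { ... }` instance and the authorize/post-auth snippets shown in the post; the post-auth `if (!(Ldap-UserDn))` guard means the cache is only consulted when the attribute is genuinely missing.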